NUS Greyhats win invitation-only SWaT Security Showdown

10 August 2016 – Members of NUS Greyhats secured first place at the SWaT Security Showdown (S3), an invitation-only contest that was held late last month with participants from local and international universities and organisations.

The SCADA-based hacking contest was held at host SUTD’s Secure Water Treatment (SWaT) Lab, an industrial water system testbed for cybersecurity research. To test their defence mechanisms, participating teams were tasked to attack or defend SWaT systems during on-line and live phases.

The NUS Greyhats were designated attackers and were awarded points based on the skills they used to launch the attack and the number of defences they managed to circumvent. The other attacking teams were from Siemens AG (Germany), Applied Risk (Netherlands), Ernst & Young, Lancaster University (UK) and University of Illinois Urbana-Champaign (US). RSA (Singapore), Security Matters (Netherlands), Checkpoint + ICS2 (Singapore, Israel) and three SUTD teams played defenders.

The NUS Greyhats team was made up of computer science (CS), information systems (IS) and information security (ISC) undergraduates, a CS PhD student and a recent CS graduate. With no prior knowledge of SCADA systems, they scored a total of 987 points over the two phases of the contest, winning first place over some of the other more experienced teams.

Speaking on behalf of the team, third-year computer science undergraduate Er Xue Hui describes the experience:

In the competition, we could assume a few different roles to carry out various attacks.

In the first attack, we showed that a disgruntled worker who has full access to the water system could manually change values on the admin system to control the water and chemical output, which can have disastrous effects as he could potentially cause a tank overflow or even prevent water treatment.

In our second attack, we performed a remote denial-of-service (DOS) attack. This can happen if the attacker has wireless access to the network. In this case, we spoofed ARP packets to the main server, preventing the admin system from knowing the values of the water and chemicals in the system. In a more complex scenario, the attacker can fake the values of the water and chemicals, making the operator think that the system is working fine, while it may actually not be performing as expected. This is a concern as the operator would not have control over the water treatment process, and we might not actually get water that is treated properly.

In our third attack, we showed that someone with physical access to the system can also manually unplug the wires to disconnect the system from the network. The attacker could then place a hardware backdoor on the network to control the amounts of water or chemicals used during the water treatment, which can be a serious problem.

[One of the most challenging parts of the contest was the idea of] physically unplugging the cable from the system. It took us quite a long time to think of doing something like that, because it was our first time with such a system and we were not very sure what we could and could not do. In most other competitions, we had no physical access to the system or server, so we could not physically tamper with the system.

We were actually quite surprised [that we won], because from what we heard, some of the teams involved in the competition were doing research in the security of SCADA systems, and were thus in a better position than us to score more points.